Securing the I-IoT data flow

In Chapter 4, Implementing the Industrial IoT Data Flow, we analyzed five different options for connecting the edge to industrial data sources, highlighting the strengths and weaknesses of each. The five options that we analyzed were the following:

  • Edge on fieldbus
  • Edge on OPC DCOM
  • Edge on OPC Proxy
  • Edge on OPC UA
  • OPC UA on controller

We have not yet considered the cybersecurity requirements and constraints for each of these options. In this section, we will look at how to secure them from a networking perspective, according to ICS standards and the related best practices. As we outlined in the previous Common control-network-segregation architectures section, securing the control network is just one of the recommendations of the DiD strategy that can be used to mitigate the cyber risks of the whole control system environment. There are other best practices and specific countermeasures to implement in order to create an aggregated, risk-based security posture that defends the control systems against cybersecurity threats and vulnerabilities. Such an analysis would require its own book and is beyond our scope here. For this reason, we have restricted our analysis of the mitigation of cyber risks in the ICS to the network architecture, since this plays a key role in the I-IoT data flow. However, the reader can explore this topic in more depth by checking out the links provided in the Further reading section.

For each of the preceding five options, the starting point will be the network schema that we already discussed for the related edge deployment. It will be modified to segregate the control network, mainly through the creation of DMZs that host the shared devices.

Let's start by looking at the edge on fieldbus setup.
